[ https://issues.apache.org/jira/browse/HADOOP-9421?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13687233#comment-13687233 ]
Daryn Sharp commented on HADOOP-9421:
-------------------------------------

Per Sanjay's request, here's a quick summary:

This patch does not directly address deficiencies in the negotiation process. It merely provides the flexibility to fix them in the near future. The basic changes are:
* SASL protobufs
* SASL protobufs wrapped with RPC header
* Server advertised SASL auth methods - currently ignored by client

Wrapping SASL negotiation in a RPC header avoids decoding errors. Ex. A secure client currently tries to decode a RPC exception from an incompatible connection header as a SASL message. The client also can't handle a RPC exception mid-stream during SASL negotiation. The RPC header allows the server and client to correctly decode the payload.

Using the RPC headers, with the addition of a streamId, will also allow the _future potential_ to multiplex multiple UGIs over the same connection. Services like the NN can be overwhelmed by a stampede of connections. The NM may be an ideal candidate for aggregation of connections, or even a per-node multiplexor for tasks.

Server advertisement of auth methods aims to address the current limitation of allowing 1 pre-determined auth or simple. Additional consideration is needed for a client-side whitelist to avoid the server unexpectedly requesting weak authentication. In the current patch, the client ignores the server and blindly attempts the negotiation as it does today.

+Other future features unlocked by this design+
* Brings us much closer to pluggable auth methods w/o changing server and client code
* Client may select a server advertised auth method to:
*# Support services and/or clusters with heterogeneous auth methods (ex. thinking of knox, rhino, etc)
*# *Critical to Y!*: IP failover, especially for HA with kerberos. The client needs the active NN's host to acquire a service ticket
*# Simplify token selection by using an opaque identifier supplied by the server - will eliminate use_ip, and even the complex HA token logic
*# Support accessing multi-interface hosts on all interfaces
*# Support accessing services via any of their hostnames, ips, or CNAMEs
* Ability to greatly reduce complexity of client/server auth code, and cleanly decouple SASL logic
* As mentioned before, multiplexing of different UGIs over a shared connection

> Convert SASL to use ProtoBuf and add lengths for non-blocking processing
> ------------------------------------------------------------------------
>
>                 Key: HADOOP-9421
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9421
>             Project: Hadoop Common
>          Issue Type: Sub-task
>    Affects Versions: 2.0.3-alpha
>            Reporter: Sanjay Radia
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HADOOP-9421.patch, HADOOP-9421.patch, HADOOP-9421.patch, HADOOP-9421.patch, HADOOP-9421-v2-demo.patch
>

--
This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators. For more information on JIRA, see: http://www.atlassian.com/software/jira
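The two mechanisms the comment describes, length-prefixed SASL messages wrapped in an RPC header so a reader can tell an RPC exception from a SASL token, and a client-side whitelist over server-advertised auth methods so the server cannot steer the client to weak authentication, can be sketched end to end in a few dozen lines. The following is an added illustration, not Hadoop code and not Daryn's patch: the JSON-in-a-length-prefix framing stands in for the RPC header plus protobuf body, and every name (`KIND_SASL`, `CLIENT_WHITELIST`, `client_handle`, the sample streams) is hypothetical.

```python
"""Added illustration of RPC-header-wrapped SASL framing and a client-side
auth whitelist. Not Hadoop code; all names and message shapes are hypothetical."""
import json
import struct

# Hypothetical message kinds carried in the "RPC header" slot of each frame.
KIND_SASL = "SASL"
KIND_RPC_ERROR = "RPC_ERROR"

# Client-side whitelist, strongest first. A server advertising only methods
# outside this list is refused instead of being "blindly" negotiated with.
CLIENT_WHITELIST = ["KERBEROS", "TOKEN"]


def encode_frame(kind: str, body: dict) -> bytes:
    """4-byte big-endian length, then a JSON payload standing in for the
    header + protobuf pair. The length prefix lets a non-blocking reader
    know exactly how many bytes it is waiting for."""
    payload = json.dumps({"kind": kind, "body": body}).encode()
    return struct.pack(">I", len(payload)) + payload


def decode_frames(buf: bytes):
    """Pull every complete frame off a byte buffer; return (frames, leftover).
    A partial frame is left in `leftover` so a later read can resume."""
    frames = []
    while len(buf) >= 4:
        (n,) = struct.unpack(">I", buf[:4])
        if len(buf) < 4 + n:
            break  # wait for more bytes rather than mis-decoding a partial frame
        msg = json.loads(buf[4:4 + n])
        frames.append((msg["kind"], msg["body"]))
        buf = buf[4 + n:]
    return frames, buf


def select_auth(advertised, whitelist=CLIENT_WHITELIST):
    """Return the first whitelisted method the server advertises, or None
    when nothing acceptable was offered (the client then refuses)."""
    for method in whitelist:
        if method in advertised:
            return method
    return None


def client_handle(stream: bytes) -> dict:
    """Walk the server's frames and report what the client decided. Because
    the kind lives in the header, an RPC error mid-negotiation is recognised
    instead of being fed to the SASL decoder."""
    frames, leftover = decode_frames(stream)
    for kind, body in frames:
        if kind == KIND_RPC_ERROR:
            return {"result": "rpc_error", "message": body["message"]}
        if kind == KIND_SASL and body.get("state") == "NEGOTIATE":
            chosen = select_auth(body["auths"])
            if chosen is None:
                return {"result": "refused", "advertised": body["auths"]}
            return {"result": "negotiate", "chosen": chosen}
    return {"result": "incomplete", "pending_bytes": len(leftover)}


# Constructed sample server streams (not captured traffic).
STREAM_OK = encode_frame(KIND_SASL, {"state": "NEGOTIATE",
                                     "auths": ["SIMPLE", "TOKEN", "KERBEROS"]})
STREAM_DOWNGRADE = encode_frame(KIND_SASL, {"state": "NEGOTIATE", "auths": ["SIMPLE"]})
STREAM_ERROR = encode_frame(KIND_RPC_ERROR, {"message": "incompatible connection header"})
STREAM_PARTIAL = STREAM_OK[:10]  # a read that returned before the frame completed

if __name__ == "__main__":
    for name, s in [("ok", STREAM_OK), ("downgrade", STREAM_DOWNGRADE),
                    ("error", STREAM_ERROR), ("partial", STREAM_PARTIAL)]:
        print(name, client_handle(s))
```

The whitelist check is the part the comment flags as still missing from the patch: without it the client would take whatever the server names first, and `STREAM_DOWNGRADE` would succeed with SIMPLE instead of being refused.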